Bug #582

PF states bug

Added by bastyaelvtars almost 14 years ago. Updated over 10 years ago.

Running 1.8.0 here and when I flush the state table in PF (pfctl -F state) then no new state entries get created or at least no program can show them, there are always 0 states (of coursee there had been thousands of them before flushing).



Updated by corecode almost 14 years ago

I cannot reproduce this on 1.9-DEVEL. Does this problem persist?


Updated by bastyaelvtars almost 14 years ago

On Thu, 19 Apr 2007 12:20:22 -0000
"Simon 'corecode' Schubert" <> wrote:

Don't know, is DEVEL stable enough for me to try? Just asking because I can only try this on aproduction machine. If yes, then I'll post feedback on this next week.


Updated by corecode almost 14 years ago

Ah, don't worry. Does it persist on 1.8-RELEASE?



Updated by bastyaelvtars almost 14 years ago

On Thu, 19 Apr 2007 14:15:01 -0000
Simon 'corecode' Schubert <> wrote:


szg@fw:/home/szg# pfctl -F all
rules cleared
nat cleared
1 tables deleted.
altq cleared
130 states cleared
source tracking entries cleared
pf: statistics cleared
After a few minutes (NB: this is a bridge filtering 70 hosts which are doing soooo much P2P:
szg@fw:/home/szg# pfctl -si
Status: Enabled for 0 days 23:06:11 Debug: Urgent

Hostid: 0xbaafed3e

Interface Stats for sk1 IPv4 IPv6
Bytes In 72602328 0
Bytes Out 272202489 0
Packets In
Passed 203338 0
Blocked 22 0
Packets Out
Passed 292272 0
Blocked 0 0

State Table Total Rate
current entries 0
searches 1983044 23.8/s
inserts 0 0.0/s
removals 0 0.0/s
match 1983044 23.8/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 36 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
szg@fw:/home/szg# uname -a
DragonFly 1.8.1-RELEASE DragonFly 1.8.1-RELEASE #5: Tue Mar 27 23:27:44 CEST 2007 :/usr/obj/usr/src/sys/BRIDGE i386

Since the number of matches keep increasing on each information query, I suspect that this is actually an error in query/response to it, maybe there are actual states (any way to check that?)


Updated by bastyaelvtars over 13 years ago

As this bug has been marked as a blocker for 1.10, and I am the
reporter, I would like to rephrase my last question:

Is there an actual way to get whether new states are actually created?
You can supply me a patch that e. g. writes a log entry after having
created a state or does a notification in a different way, it just has
to be kernel-level, since the only problem may be that PF fails to
report state info back to userland if a flush has been done.

If states get created just pfctl and pftop cannot retrieve this
information, I consider the issue a minor annoyance (and not a release
blocker in any way), since it does not impair PF's actual work.


Updated by alexh over 11 years ago

anyone still experiences this issue?
Should be long solved since it used to be a blocker for 1.10-RELEASE ;)

Alex Hornung


Updated by sjg over 10 years ago

pf was recently updated in master, does it fix this issue?

